24.8.27 (Aug 27, 2024)

Release Summary

InsightCloudSec is pleased to announce release version 24.8.27. This release includes 2 new AWS resources with Query Filters and Insights to support them and an improved user experience for the Cloud Details Settings page.

New Permissions: Amazon Web Services (AWS)

These permissions support the new AWS Polly and AWS Comprehend resources. All permissions have been added to the appropriate onboarding user roles.

For AWS Read-Only users:

  • "comprehend:ListPiiEntitiesDetectionJobs"
  • "comprehend:ListSentimentDetectionJobs"
  • "comprehend:ListTargetedSentimentDetectionJobs"
  • "polly:ListSpeechSynthesisTasks"

Missing Permissions: Amazon Web Services (AWS)

These permissions were missing from the Read Only User Role. All permissions have been added to the appropriate onboarding user roles.

For AWS Read-Only users:

  • "waf:GetIPSet"
  • "waf:GetRuleGroup"
  • "waf:GetGeoMatchSet"
  • "waf:ListSubscribedRuleGroups"
  • "wafv2:GetIPSet"
  • "waf-regional:GetGeoMatchSet"
  • "waf-regional:GetIPSet"
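As an added check covering both permission lists above (example code, not part of this release note or of InsightCloudSec itself), the following Python reports which of the listed actions an existing Read Only role policy does not yet allow, honouring IAM action wildcards such as `waf:Get*`. The policy document is constructed for the example; Deny statements, NotAction and Condition keys are not evaluated.

```python
import fnmatch
import json

# Read-only actions named in release 24.8.27: the new Polly/Comprehend actions
# plus the WAF actions that were missing from the Read Only User Role.
REQUIRED_READ_ONLY_ACTIONS = [
    "comprehend:ListPiiEntitiesDetectionJobs",
    "comprehend:ListSentimentDetectionJobs",
    "comprehend:ListTargetedSentimentDetectionJobs",
    "polly:ListSpeechSynthesisTasks",
    "waf:GetIPSet",
    "waf:GetRuleGroup",
    "waf:GetGeoMatchSet",
    "waf:ListSubscribedRuleGroups",
    "wafv2:GetIPSet",
    "waf-regional:GetGeoMatchSet",
    "waf-regional:GetIPSet",
]

# Constructed sample: an older read-only policy that predates the WAF additions.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["comprehend:List*", "wafv2:Get*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "polly:ListSpeechSynthesisTasks", "Resource": "*"},
    {"Effect": "Allow", "Action": "waf:ListSubscribedRuleGroups", "Resource": "*"}
  ]
}""")


def allowed_action_patterns(policy):
    """Collect every Action pattern from Allow statements (Action may be a string or a list)."""
    patterns = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        patterns.update([action] if isinstance(action, str) else action)
    return patterns


def missing_actions(policy, required=REQUIRED_READ_ONLY_ACTIONS):
    """Return the required actions not matched by any Allow pattern.
    IAM matches action names case-insensitively, so both sides are lower-cased;
    * and ? wildcards are handled by fnmatch, which IAM's action syntax mirrors."""
    patterns = [p.lower() for p in allowed_action_patterns(policy)]
    return [a for a in required
            if not any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]


if __name__ == "__main__":
    for action in missing_actions(SAMPLE_POLICY):
        print("missing:", action)
```

Running this against a real role's inline and attached policy documents (pulled with `aws iam get-role-policy` / `get-policy-version`) gives the same gap list the Permissions Scanning utility is expected to show after this release.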

New

  • Added support for 2 new AWS resources: Comprehend and Polly.
  • Added the following Query Filters:
    • Database Instance Audit Log Flags
    • Azure Key Vault Not Used To Store Web Apps Secrets
    • Comprehend Job Type
    • Comprehend Job Status
    • Comprehend Job data is Publicly Exposed
    • Comprehend Job Within VPC
    • Comprehend Job Data S3 Bucket Not Restricted To VPC
    • Comprehend Job Volume Encrypted With Cloud Managed Key
    • Speech Synthesis Task Text Type
    • Speech Synthesis Task Status
    • Speech Synthesis Task data is Publicly Exposed
  • Added the following Insights:
    • Database Instance without Connection Log Auditing Events (MySQL Single Server)
    • Web App without AppService HTTP Logs enabled, which maps to the CIS Azure 2.0 Compliance Pack under recommendation 5.1.7 and the CIS Azure 2.1 Compliance Pack under recommendation 5.1.6.
    • Encryption Keys Without Expiration not in an RBAC Key Vault, which maps to the CIS Azure 2.0 and CIS Azure 2.1 Compliance Packs under recommendation 8.2.
    • Secrets Without Expiration not in an RBAC Key Vault, which maps to the CIS Azure 2.0 and CIS Azure 2.1 Compliance Packs under recommendation 8.4.
    • Azure Key Vault not used to store Web App secrets, which maps to the CIS Azure 2.0 Compliance Pack under recommendation 9.11 and the CIS Azure 2.1 Compliance Pack under recommendation 9.10.
    • Comprehend Job Has Publicly Exposed Data
    • Comprehend Job Linked to Bucket Without VPC Restricted Access
    • Comprehend Job Not Within VPC
    • Comprehend Job using Cloud Managed Key Instead of Customer Managed Key for Output Result Encryption
    • Comprehend Job using Cloud Managed Key Instead of Customer Managed Key for Volume Encryption
    • Speech Synthesis Task Has Publicly Exposed Data
  • Modernized and improved the user experience of the Cloud Accounts > Cloud Details > Settings page. The old interface will remain the default experience for now, but a toggle has been added to the page to easily switch between the 2 views.
  • Added Source Document support for the Azure Private Link Service resource.
  • Added the ability to customize the number of days that Event-Driven Harvesting (EDH) service event history records are retained (up to 14 days).

Improved

  • Insights on the Insight Findings tab in the Resource properties panel are now linked to the Insight's details page.
  • Improved the performance of various filters in the Layered Context feature.
  • Publicly accessible resource justifications now list resource names in bold font to improve their readability.
  • Renamed the Encryption Keys Without Expiration Insight to Encryption Keys Without Expiration in an RBAC Key Vault, which maps to the CIS Azure 2.0 and CIS Azure 2.1 Compliance Packs under recommendation 8.1.
  • Renamed the Secrets Without Expiration Insight to Secrets Without Expiration in an RBAC Key Vault, which maps to the CIS Azure 2.0 and CIS Azure 2.1 Compliance Packs under recommendation 8.3.
  • Added the following tags for all Insights mapped under controls for Requirement 2 of the PCI DSS v4.0 Compliance Pack:
    • PCI DSS v4.0 - 2.2.2
    • PCI DSS v4.0 - 2.2.4
    • PCI DSS v4.0 - 2.2.6
    • PCI DSS v4.0 - 2.2.7
  • Increased the Kubernetes API key limit to 5.

Fixed

  • Resolved an issue where the Expiration Date column on the Exemptions page and the Edit Exemption window showed different values for the same exemption.
  • The Instance Allows Use Of Vulnerable IMDSv1 Protocol Query Filter has been updated to exclude all instances that have a pending IMDS configuration.
  • Resolved an issue where missing permissions were not being displayed in the Permissions Scanning utility for AWS Web Application Firewalls. The missing permissions were also added to the AWS onboarding CloudFormation Template.
  • Resolved package security vulnerabilities in accordance with our vulnerability resolution policy.
  • Resolved an issue with the FilterLimitExceeded error occurring with the AWS Instance Interface IP Harvester when an event-driven harvest was queued with more than 200 network interfaces.
  • Resolved an issue with downloading JSON from the resource properties panel.